Researchers Need to Focus on Defenses, Not Bug Hunting: Adobe

Adobe wants researchers to focus on mitigation technologies that make it expensive for attackers to launch attacks, not hunting bugs.

CANCUN,
Mexico  Security researchers need to shift their attention away from hunting
for vulnerabilities and start thinking about ways to make it difficult to create
exploits, according to a security expert from Adobe.
There is too much focus on vulnerabilities and defects in
software, Brad Arkin, director of product security and privacy at Adobe, said
in his keynote speech at the Kaspersky Lab Security Analyst Summit Feb. 2.
Instead of vulnerabilities, security researchers should be thinking about how
to make it too expensive to target those applications, Arkin said.

Security
researchers are typically involved in offensive research, and often provide
enough information or a proof-of-concept that makes it easier for attackers
interested in developing an exploit, Arkin said. Once the research is published
or presented at a conference, the information is readily available without the
attacker having to invest in original research. Tweaks to an existing exploit
result in malware variants.

If you publish a paper about a new technique, a previously
hard technique becomes easy, Arkin said.
To illustrate his point, Arkin discussed the recently disclosed
and patched zero-day vulnerability in Adobe Reader. Attacks that exploited that
flaw were extremely focused on defense industrial base firms. Fewer than 20
machines, spread across a number of defense companies were targeted in the
attacks, according to Arkin.
Despite the sophisticated nature of the attack, the attackers
took a shortcut to create the exploit. The zero-day vulnerability was exploited
using a three-year-old proof-of-concept code written by a security researcher,
according to Arkin. The exploit was publicly available so they didn't have to
figure out how to use the vulnerability.

"The
skill of writing something first is very high, but it is far easier to adapt
an existing code sample, Arkin said.
Arkin was not telling the
security researchers in the audience that they shouldn't discuss their
discoveries. However, he felt they should stop to consider that cyber-criminals
treat the publicly disclosed exploits as free R&D for their purposes.
Offensive researchers need to consider the consequences of
what happens once an exploit or technique gets out there, Arkin said.
Arkin said in a perfect world,
people would disclose vulnerabilities to only people who would never do
anything malicious with the information. However, as this isn't the perfect world, researchers
should err on the side of caution and consider how they disclose the information,
he said.
Instead of
finding new offensive techniques, it is far more valuable to find ways to make
it harder to attack vulnerabilities, according to Arkin.
Recent security
innovations, such as address space layout randomization and data execution
prevention, have been instrumental in driving up the cost of attacking products
that use them, Arkin said.
For example,
Arkin noted that the exploit that targeted defense companies in the recent attack was
blocked in Acrobat and Reader X, which had the Protected Mode sandbox. Adobe had to rush out an out-of-band patch for
Adobe Reader and Acrobat 9.x for Windows because that version did not have the
protection technology built-in. The vulnerability in Reader and Acrobat X for
Windows was patched as part of Adobe's
scheduled update in January.
Adobe's
goal is not to try to address every vulnerability discovered in the software,
but to make it harder to drive up the cost of writing exploits by investing in
mitigation technologies. Only about two-dozen vulnerabilities in Adobe products
identified in the past two years have actually been matched with exploit code,
Arkin said.
Finding a
bug is fairly straightforward, writing an exploit is harder, and writing a reliable exploit that works all the time is even harder, Arkin
said.
Arkin
noted that whenever an exploit module is added to the Metasploit penetration-testing suite, attacks targeting that vulnerability skyrocket. There's a
clear correlation between the public release of information and people getting
attacked, Arkin said.